Recently, David Howells released the latest patch set of the kernel locking feature, which further restricts userspace access or modification of the kernel, and imposes additional restrictions on the root modification of the runtime kernel.
One of the patches binds UEFI Secure Boot and Kernel Lockdown, that is, Lockdown is enabled when UEFI Secure Boot is enabled by default.
efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option
that to lock down the kernel – which includes requiring validly signed modules – if the kernel is secure-booted.
Linus Torvalds expressed concern that UEFI Secure Boot and Lockdown are irrelevant, and they have no match.
Look at it this way: maybe lockdown breaks some application because that app does something odd. I get a report of that happening, and it so happens that the reporter is running the same distro I am, so I try it with his exact kernel configuration, and it works for me.
It is *entirely* non-obvious that the reporter happened to run a distro kernel that had secure boot enabled, and I obviously do not.
See what the problem is? Tying these things magically together IS A BAD IDEA.
Linus agrees that Lockdown protects the purpose of kernel mirroring, but opposes the unconditional combination of UEFI SecureBoot and Lockdown as a bad idea.
